
SOLVED

Question about upgrading 5.6.1 to 6.3 Authenticator/LoginModule combo


Level 2

Hi, we're in the process of upgrading a project to 6.3 from 5.6.1.

Most of it is already working, but we're hitting a wall with the current implementation of the custom AuthenticationHandler and the LoginModule.

Currently, the AuthenticationHandler seems to be doing its job correctly, as in it communicates with the external services, gets the user info back, and provides an AuthenticationInfo back.

That said, right after that, its authenticationFailed feedback handler gets called, which I'm assuming is due to the OOTB LoginModules.

What's the path of least resistance in going forward? We don't want to rewrite the whole AuthenticationHandler; the user info already means it was authenticated successfully to the SSO server.

What we need now is simply getting a LoginModule that would approve that user, which is where I'm mostly scratching my head, as most samples seem to assume authentication hasn't been made yet or something, and will be done at the LoginModule level instead (unless I'm mistaken here).

I kind of was able to do some JAAS LoginModule (not using the External one) but using a

<Jaas-ModuleClass>myclass.ExternalLoginModule</Jaas-ModuleClass>

Adding the JAAS config in Felix, and somehow it almost "works", but the thing is, the LoginModule is literally being called every 2 seconds like crazy, so obviously not the right way.

Is there a way of doing this with our current AuthenticationHandler, and a LoginModule that doesn't require an ExternalProvider?

Any insights would be greatly appreciated.

1 Accepted Solution


Correct answer by
Level 2

Well, I figured it out: I forgot a very important block of code in the commit function.

Set<? extends Principal> principals = getPrincipals(user.getID());
if (!principals.isEmpty()) {
    if (!subject.isReadOnly()) {
        // Populate the JAAS Subject first: principals, then the credentials
        subject.getPrincipals().addAll(principals);
        if (credentials != null) {
            subject.getPublicCredentials().add(credentials);
        }
        // Only then attach the AuthInfo to the populated subject
        setAuthInfo(createAuthInfo(user.getID(), credentials, principals), subject);
    }
}

I forgot to include the lines about the "subject" before the setAuthInfo.

Leaving this in case someone else had a similar issue trying to implement a custom login module.

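Putting the two posts together (the commit sequence the poster describes in the reply below and the Subject block from the accepted answer), here is a complete module as an added example. It is not the poster's code and not Oak's own; it assumes the Jackrabbit Oak AbstractLoginModule and AuthInfoImpl API as bundled with AEM 6.3, and the class names PreAuthenticatedSsoLoginModule and SsoCredentials are made up for the illustration. Oak's public AuthInfoImpl constructor stands in for the poster's createAuthInfo helper, which the thread does not show.

```java
// Added example, not the poster's code. A minimal Jackrabbit Oak LoginModule
// that accepts a user already authenticated by a Sling AuthenticationHandler.
// Assumptions: Oak's AbstractLoginModule/AuthInfoImpl API as shipped with AEM 6.3,
// and a hypothetical SsoCredentials type that the handler passes to the repository.
package example.sso;

import java.security.Principal;
import java.util.Collections;
import java.util.HashMap;
import java.util.Set;

import javax.jcr.Credentials;
import javax.jcr.RepositoryException;
import javax.security.auth.login.LoginException;

import org.apache.jackrabbit.api.security.user.Authorizable;
import org.apache.jackrabbit.api.security.user.User;
import org.apache.jackrabbit.api.security.user.UserManager;
import org.apache.jackrabbit.oak.api.CommitFailedException;
import org.apache.jackrabbit.oak.spi.security.authentication.AbstractLoginModule;
import org.apache.jackrabbit.oak.spi.security.authentication.AuthInfoImpl;

public class PreAuthenticatedSsoLoginModule extends AbstractLoginModule {

    /** Hypothetical credentials built by the AuthenticationHandler after the SSO round-trip. */
    public static final class SsoCredentials implements Credentials {
        private static final long serialVersionUID = 1L;
        private final String userId;
        public SsoCredentials(String userId) { this.userId = userId; }
        public String getUserId() { return userId; }
    }

    private SsoCredentials credentials;

    @Override
    protected Set<Class> getSupportedCredentials() {
        return Collections.<Class>singleton(SsoCredentials.class);
    }

    @Override
    public boolean login() throws LoginException {
        Credentials c = getCredentials();
        if (!(c instanceof SsoCredentials)) {
            return false;   // not ours: ignored, so other modules in the JAAS chain can still match
        }
        credentials = (SsoCredentials) c;
        return true;        // no password check here: the handler already verified the user upstream
    }

    @Override
    public boolean commit() throws LoginException {
        if (credentials == null) {
            clearState();
            return false;
        }
        try {
            UserManager um = getUserManager();
            if (um == null) {
                throw new LoginException("No UserManager available");
            }
            String id = credentials.getUserId();
            Authorizable a = um.getAuthorizable(id);
            User user;
            if (a == null) {
                user = um.createUser(id, null);   // no password: this account can only log in via SSO
                getRoot().commit();
            } else if (a.isGroup()) {
                throw new LoginException("SSO id resolves to a group: " + id);
            } else {
                user = (User) a;
            }

            // The part the poster initially left out: the Subject must carry the
            // principals and the credentials before the AuthInfo is attached to it.
            Set<? extends Principal> principals = getPrincipals(user.getID());
            if (principals.isEmpty()) {
                clearState();
                return false;
            }
            if (!subject.isReadOnly()) {
                subject.getPrincipals().addAll(principals);
                subject.getPublicCredentials().add(credentials);
                setAuthInfo(new AuthInfoImpl(user.getID(), new HashMap<String, Object>(), principals), subject);
            }
            return true;
        } catch (RepositoryException | CommitFailedException e) {
            clearState();
            throw new LoginException("SSO login commit failed: " + e.getMessage());
        }
    }
}
```

Two design points matter here. login() returns false rather than throwing for credentials of another type, so a module that is registered with the Jaas-ModuleClass header as in the question does not block ordinary password logins handled by the default module. And the module trusts the user id only because it arrives wrapped in a Credentials type that the AuthenticationHandler creates after the SSO server has confirmed it; the account is created without a password so it can never be used for a direct repository login.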

2 Replies


Level 2

I'm at my wits' end on this. I think I got 95% of it done, but I'm hitting a wall and really need some help figuring this out.

Our AuthenticationHandler already deals with contacting our third-party server for authentication, and all the info is in its Credentials.

The External Login module gets called correctly, the "login()" implementation works, and our commit implementation is also being called.

In the commit, we take the UserManager from the AbstractLoginModule to get the AEM user based on the ID in the Credentials; if the user does not exist, we create it with the UM and call getRoot().commit() to save the user.

From that user and its credentials, we get its Principals, and create an authInfo that we set with the "setAuthInfo" function.

So far so good.

Now the issue. Once all this is done, we return "true", and this is where all hell breaks loose. Now all access to AEM returns 404s, and in the errors.log we see this:

06.10.2017 15:15:13.195 *ERROR* [qtp1207285635-110] org.apache.jackrabbit.oak.core.ContentSessionImpl Error during logout.

javax.security.auth.login.LoginException: Login Failure: all modules ignored

If we return "false" in our commit, then it's business as usual (but the AuthenticationHandler receives an "AuthenticationFailed", obviously).

I really need help or any insights on this; there's barely any actual example of a non-LDAP login module out there.
